public/mailtrain
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

do not allow script tags in description html

Browse source
This commit is contained in:
Andris Reinman 2017-03-19 14:22:44 +02:00
parent 0879fa412a
commit ae6affda81
5 changed files with 32 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

13
lib/tools.js
View file

@ -9,6 +9,7 @@ let jsdom = require('jsdom');
let he = require('he');
let _ = require('./translate')._;
let util = require('util');
let createDOMPurify = require('dompurify');
let blockedUsers = ['abuse', 'admin', 'billing', 'compliance', 'devnull', 'dns', 'ftp', 'hostmaster', 'inoc', 'ispfeedback', 'ispsupport', 'listrequest', 'list', 'maildaemon', 'noc', 'noreply', 'noreply', 'null', 'phish', 'phishing', 'postmaster', 'privacy', 'registrar', 'root', 'security', 'spam', 'support', 'sysadmin', 'tech', 'undisclosedrecipients', 'unsubscribe', 'usenet', 'uucp', 'webmaster', 'www'];
@ -23,6 +24,7 @@ module.exports = {
formatMessage,
getMessageLinks,
prepareHtml,
purifyHTML,
workers: new Set()
};
@ -232,3 +234,14 @@ function prepareHtml(html, callback) {
return callback(null, juice(preparedHtml));
});
}
function purifyHTML(html) {
let win = jsdom.jsdom('', {
features: {
FetchExternalResources: false, // disables resource loading over HTTP / filesystem
ProcessExternalResources: false // do not execute JS within script blocks
}
}).defaultView;
let DOMPurify = createDOMPurify(win);
return DOMPurify.sanitize(html);
}